Start and stop Splunk Enterprise

Start Splunk Enterprise on Windows

On Windows, Splunk Enterprise installs by default into C:\Program Files\Splunk. Many examples in the Splunk documentation use $SPLUNK_HOME to indicate the Splunk installation directory. You can replace the string $SPLUNK_HOME (and the Windows variant %SPLUNK_HOME%) with C:\Program Files\Splunk if you installed Splunk Enterprise into the default directory.

Splunk Enterprise installs with two services, splunkd and splunkweb. In normal operation, only splunkd runs, handling all Splunk Enterprise operations, including the Splunk Web interface. To change this, you must put Splunk Enterprise in legacy mode. Read Start Splunk Enterprise on Windows in legacy mode.

You can start and stop Splunk on Windows in one of the following ways:

Web interface (in legacy mode only): splunkweb. In normal operation, this service starts, then immediately quits when it receives a start request.

2. Start and stop Splunk Enterprise services from a command prompt by using the NET START <service> or NET STOP <service> commands:

Server daemon and Web interface: splunkd

Web interface (in legacy mode only): splunkweb. In normal operation, this service starts, then immediately quits when it receives a start request.

3. Start, stop, or restart both processes at once by going to %SPLUNK_HOME%\bin and typing

> splunk [start|stop|restart]

Start Splunk Enterprise on Windows in legacy mode

If you want to run Splunk Enterprise in legacy mode, where splunkd and splunkweb both run, you must change a configuration parameter.

Important: Do not run Splunk Web in legacy mode permanently. Use legacy mode to temporarily work around issues introduced by the new integration of the user interface with the main splunkd service. Once you correct the issues, return Splunk Web to normal mode as soon as possible.

To put Splunk Enterprise in legacy mode:

1. From a command prompt, go to %SPLUNK_HOME%\etc\system\local.

2. Edit %SPLUNK_HOME%\etc\system\local\web.conf, or create a new file named web.conf in %SPLUNK_HOME%\etc\system\local if one does not already exist. See How to edit a configuration file.

3. In web.conf, set the appServerPorts and httpport attributes as follows:

Start Splunk Enterprise on UNIX

Splunk Enterprise installs with one process on *nix, splunkd. In normal operation, only splunkd runs, handling all Splunk Enterprise operations, including the Splunk Web interface. To change this, you must put Splunk Enterprise in legacy mode. See "Start Splunk Enterprise on Unix in legacy mode."

Start Splunk Enterprise

From a shell prompt on the Splunk Enterprise server host, run this command:

Note: If either the startwebserver attribute is disabled, or the appServerPorts attribute is set to anything other than 0 in web.conf, then manually starting splunkweb does not do anything. The splunkweb process will not start in either case. See "Start Splunk Enterprise on Unix in legacy mode."

To restart Splunk Enterprise (splunkd or splunkweb) type:

# splunk restart

# splunk restart splunkd

(in legacy mode only) # splunk restart splunkweb

Start Splunk Enterprise on Unix in legacy mode

If you want to run Splunk Enterprise in such a way that splunkd and splunkweb both run, you must put Splunk Enterprise into legacy mode.

To put Splunk Enterprise in legacy mode:

1. From a shell prompt, go to $SPLUNK_HOME/etc/system/default.

2. Make a copy of web.conf and place it into $SPLUNK_HOME/etc/system/local.

3. Edit web.conf in $SPLUNK_HOME/etc/system/local.

4. In web.conf, set the appServerPorts and httpport attributes as follows:

If Splunk Enterprise runs in legacy mode, you will see an additional line in the output:

splunkweb is running (PID: 3216).

Note: On Unix systems, you must be logged in as the user who runs Splunk Enterprise to run the splunk status command. Other users cannot read the necessary files to report status correctly.

If splunk status decides that the service is running, it returns the status code 0, or success. If splunk status determines that the service is not running, it returns the Linux Standard Base value for a non-running service, 3. Other values likely indicate that splunk status has encountered an error.
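
As an added example (not part of the Splunk documentation), the following shell functions show how a monitoring script can act on these exit codes and on the run-as-user requirement noted above. The default path /opt/splunk and the SPLUNK_RUN_USER variable are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: interpret the exit status of `splunk status`.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk here; SPLUNK_RUN_USER is a
# hypothetical variable naming the account that runs Splunk Enterprise.

# Map an exit status to a state, per the values documented above.
classify_splunk_status() {
    case "$1" in
        0) echo "running" ;;   # service is running
        3) echo "stopped" ;;   # LSB value for a non-running service
        *) echo "error" ;;     # anything else: status itself likely failed
    esac
}

# Run the status command (default: $SPLUNK_HOME/bin/splunk status), print the
# state, and return 0 only when the service is running.
check_splunk() {
    # Other users cannot read the files needed to report status correctly,
    # so refuse to report rather than return a misleading result.
    if [ -n "${SPLUNK_RUN_USER:-}" ] && [ "$(id -un)" != "$SPLUNK_RUN_USER" ]; then
        echo "wrong-user"
        return 2
    fi
    if [ "$#" -eq 0 ]; then
        set -- "${SPLUNK_HOME:-/opt/splunk}/bin/splunk" status
    fi
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    state=$(classify_splunk_status "$rc")
    echo "$state"
    [ "$state" = "running" ]
}
```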

You can also use ps to check for running Splunk Enterprise processes:

# ps aux | grep splunk | grep -v grep

Solaris users should use the -ef arguments to ps instead of aux:

# ps -ef | grep splunk | grep -v grep

Restart Splunk Enterprise from Splunk Web

You can also restart Splunk from Splunk Web:

1. Navigate to System > Server controls.

2. Click Restart Splunk.

This will restart the splunkd and (in legacy mode only) the splunkweb processes.
